IntenseWebs/opentofu
3
0
Fork 0
mirror of https://github.com/opentofu/opentofu.git synced 2025-02-25 18:45:20 -06:00
Code Issues Packages Projects Releases Wiki Activity

feat: Adding 2024-10-09 TSC summary (#2059)

Browse Source 
Signed-off-by: Yousif Akbar <11247449+yhakbar@users.noreply.github.com>
This commit is contained in:
Yousif Akbar 2024-10-09 14:35:05 -04:00 committed by GitHub
parent 8b0b5b271b
commit 7fddff6ba4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
TSC_SUMMARY.md
View File

@ -8,6 +8,49 @@ The Technical Steering Committee is a group comprised of people from companies a
- Wojciech Barczynski ([@wojciech12](https://github.com/wojciech12)) representing Spacelift Inc.
- Zach Goldberg ([@ZachGoldberg](https://github.com/ZachGoldberg)) representing Gruntwork, Inc.
## 2024-10-01
### Attendees
- Christan Mesh ([@cam72cam](https://github.com/cam72cam)) (OpenTofu Tech Lead)
- Roger Simms ([@allofthesepeople](https://github.com/allofthesepeople))
- Igor Savchenko ([@DiscyDel](https://github.com/DicsyDel))
- Yousif Akbar ([@yhakbar](https://github.com/yhakbar)) (On behalf of Zach Goldberg)
### Agenda
#### Static Evaluation Sensitivity Bug
- Christian: I'm working on a draft to report a security issue with static evaluation of variables.
- It can lead to variables marked sensitive being exposed, due to the fact that static
evaluation of sensitive variables in module sources, versions, etc might
result in sensitive values being written to disk.
- What is the best way to tackle breaking this behavior? Should it be removed in a patch release?
- Igor: This is an issue, but breaking behavior in a patch release is not ideal.
- It might be best to fix it in a minor release.
- There's risk that some users consider a breaking change like this really surprising.
- Yousif: I agree with Igor. The behavior should be addressed in a minor release.
- In the interim, would it be possible to emit a warning when users are using sensitive variables in contexts
that might expose them?
- Users could then be made aware of the issue and take steps to mitigate it before the fix is released.
- We could also consider adding a flag to opt-in to allowing sensitive variables in these contexts.
- Christian: I'll look into adding a warning, but I'm not sure there's a sensible reason to use sensitive variables in these contexts.
- Igor: Many community members asked for this functionality to be able to include tokens for fetching private modules.
- They'll rely on the ability to use sensitive variables in contexts where they might be exposed in `.terraform.lock.hcl` files.
- Christian: That's a good point. Users might need a mechanism to opt-in to existing behavior.
- I'll report this issue, then communicate the plan to address it with a warning in a patch, and fix it in a minor release.
#### OpenTofu Registry Policy
This topic is complex, and the committee is working to finalize a policy that will be acceptable to all parties.
To avoid harassment of any committee members, the comments made by individual members will not be attributed to them in the minutes.
It was discussed that the policy should be clear on what the OpenTofu Steering Committee must do by law,
and how much flexibility the committee has in making decisions.
The committee agreed to revisit the topic in the following meeting.
## 2024-08-20
### Attendees